About DNS Changer Malware

Posted: 06/07/2012 in Uncategorized
Tags: ,

  1. Summary

    DNSChanger is a trojan that will change the infected system’s Domain Name Server (DNS) settings, in order to divert traffic to unsolicited, and potentially illegal sites. 

    The trojan is usually a small file (about 1.5 kilobytes) that is designed to change the ‘NameServer’ Registry key value to a custom IP address. This IP address is usually encrypted in the body of a trojan. As a result of this change a victim’s computer will contact the newly assigned DNS server to resolve names of different webservers. 

    Additional Details

    Variant 

    Trojan.Win32.DNSChanger.al 
    Lately we got a few samples of this trojan that were named ‘PayPal-2.5.200-MSWin32-x86-2005.exe’. This trojan was programmed to change the DNS server name of a victim’s computer to 193.227.227.218 address. 

    The Registry key that is affected by this trojan is: 

     [HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces] 
      “NameServer”
    Registry Modifications 
    Creates these keys:

     HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random} 
    DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxxHKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random} 
    NameServer = 85.255.xxx.133,85.255.xxx.xxxHKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ 
    DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxxHKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ 
    NameServer = 85.255.xxx.xxx,85.255.xxx.xxx

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s